Syria's man-in-the-middle attack on Facebook

Someone in the Syrian telecoms authority is running a clumsy man-in-the-middle attack against Facebook; activists who try to access the site in Syria using SSL get a message saying that the certificate doesn't match. The forged certificate that the telecoms authority is attempting to insert comes from DigiCert High Assurance CA-3. I got this wrong -- this is the correct cert; the bogus one is issued by "Facebook Inc". Though the attack is clumsy (it sends up a security warning), many unsophisticated users probably won't understand the warning and could be in danger.

The attack is not extremely sophisticated: the certificate is invalid in users' browsers and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would give the attackers access to and control of their Facebook account. The security warning is users' only line of defense.
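The check that the browser warning stands in for, as an added example that is not part of the original post: it builds constructed sample certificates (the "Sample Trusted CA" name and the key material are assumptions, not real DigiCert or Facebook certificates), then verifies a CA-issued certificate and a self-issued "Facebook Inc" certificate against the same trust store. The forged one fails chain validation, which is exactly the condition behind the warning users are clicking through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate with subject CN cn, signed by parent/parentKey (nil parent = self-signed).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"www.facebook.com"}, // constructed sample, not a real certificate
	}
	if parent == nil { // self-signed: the issuer is the certificate's own subject
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // inputs are constructed and valid
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkServerCert is the check the browser warning stands in for: chain to a trusted root and match the host.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// Demo verifies a CA-issued certificate and a self-issued "Facebook Inc" one against the same roots.
func Demo() (legitErr, forgedErr error) {
	ca, caKey := makeCert("Sample Trusted CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	legit, _ := makeCert("www.facebook.com", false, ca, caKey)
	forged, _ := makeCert("Facebook Inc", false, nil, nil) // issuer "Facebook Inc" is in no trust store
	return checkServerCert(legit, roots, "www.facebook.com"), checkServerCert(forged, roots, "www.facebook.com")
}

func main() {
	l, f := Demo()
	fmt.Println("CA-issued cert:", l, "| forged cert:", f)
}
```

The CA-issued certificate verifies with a nil error; the self-issued one is rejected with "certificate signed by unknown authority", and the same hostname check also rejects a valid certificate presented for the wrong site.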

Yikes. I hope the Facebook admins are paying attention. People will be raped, tortured and killed based on their FB data. It might be best simply to cut Syrian IP addresses off from Facebook access for the moment.

I don’t know many supposedly “sophisticated” users who would have correctly deduced which one was valid and which one was invalid. The fact that the writeup got it confused illustrates this point.

Fingerprints are great, but no one knows what they should be. Seriously. I ssh into a machine and it throws a warning saying, “This machine has the fingerprint [big-long-hex-string]. Do you trust it?” Everyone says yes. No one confirms. Hell, not many people even know how to confirm this.

I’ve rejected perhaps two certificates in my entire time on the Internet, both of which were essentially blank (e.g. “Organization: Some Organization”; it literally said “Some Organization.” I took a screenshot.)

I don’t know who issues certificates, and I don’t know what a valid certificate looks like from these places. This is a problem if we expect users to know this stuff.